There are several posts about SMS OTP, but all lead to dead ends (broken plugins, un-useable advice/tutorials, etc.). Has anyone successfully implemented SMS OTP, and if so, would you be kind enough to share how? Many thanks!
You can but they are all janky ways that I’ve seen. You’re going to be better off using magic link. Which you can send either via email or SMS.
Same concept but more secure.
Appreciate the reply @chris.williamson1996. Any chance you could provide more info re: sending magic link with SMS?
You can generate it on front end, check the create link but don’t send. Use twilio to send it as a text using (results from step x).
When they click it they will be logged in.
This is still better to do via email but you can get it all working with SMS.
Oh cool, thanks!
I use twilio API for OTP codes. very simple.
Were you able to get it to work with Bubble auth where they aren’t truly logged in until the code is correct? Or do you pre-log the user in and then restrict app access until the code was entered? That’s how I’ve seen many people handle it, and it opens up a slew of security concerns.
What I do is create a user and set them as “authenticated (false)”.
Authenticated is a boolean data set btw.
When they do the right OTP, then make them authenticated.
Super simple process!
Another advanced approach is making a key for each user. Don’t allow any user any access until they have a key. Don’t give them a key until they have authenticated. This ultimately means to stop using the “current user logged in” method. You would need to use the route “current user’s key is empty/valid = true/false” method in replacement.
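As an added illustration, not code from this thread or from Bubble or Twilio, here is the flow described above (user created unverified, the boolean flipped only on the correct code, access gated on that flag rather than on “logged in”) written in Python against a constructed in-memory store; the phone numbers, field names, expiry, attempt limit and the point where the code would be handed to an SMS sender are assumptions:

```python
import hmac, hashlib, secrets, time

OTP_TTL_SECONDS = 300      # assumed: code valid for five minutes
MAX_ATTEMPTS = 5           # assumed: burn the pending code after five wrong guesses

# Constructed in-memory "database": phone number -> user record.
USERS = {}

def create_user(phone, now=None):
    """Create the account unverified; nothing grants access until verified."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # the value the SMS sender would text
    USERS[phone] = {
        "authenticated": False,                  # the boolean from the thread
        # Stored hashed so a read of the record alone does not reveal the code;
        # six digits are low entropy, so expiry and the attempt cap do the real work.
        "otp_hash": hashlib.sha256(code.encode()).hexdigest(),
        "otp_expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # returned only so the caller can pass it to the SMS sender

def verify_otp(phone, submitted, now=None):
    """Flip 'authenticated' only on a live, unexpired, correct, single-use code."""
    now = time.time() if now is None else now
    user = USERS.get(phone)
    if user is None or user["otp_hash"] is None:
        return False
    if now > user["otp_expires"] or user["attempts"] >= MAX_ATTEMPTS:
        user["otp_hash"] = None          # code is burned; a fresh one must be issued
        return False
    user["attempts"] += 1
    submitted_hash = hashlib.sha256(submitted.encode()).hexdigest()
    ok = hmac.compare_digest(user["otp_hash"], submitted_hash)   # constant-time compare
    if ok:
        user["authenticated"] = True
        user["otp_hash"] = None          # single use: the same code cannot verify twice
    return ok

def can_access(phone):
    """Gate on 'authenticated', not on 'current user is logged in'."""
    user = USERS.get(phone)
    return bool(user and user["authenticated"])
```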
@chris.williamson1996 what would be the slew of security concerns having them technically logged in like @GH5T does, but having them blocked out of all data via privacy rules, etc.?
A lot of people optimize their apps with the “current user is logged in” method. Which can be a concern on my second approach. The other vulnerability is when you’re logged in, you just have more access to the internals of your database. The only thing I could think really would be privacy rules not being set up appropriately, to actually become a security concern.
I’d like to know as well, I don’t see an issue; but, I’m also very dumb. More importantly, I’d like to know why Ghost pays to send OTPs.
I’ve never paid once for OTP!
My strong hint is to use slug-based login and reciprocal proxy accounts between the single-click login account and the user’s actual password-protected account.